Meet Ranscam: The Scam Giving Ransomware a Bad Name

Malware peddlers have a lot of nerve these days, and the people behind Ranscam (call them geniuses only loosely) are a prime example. Cisco's Talos threat intelligence group was among the first to analyze the strain, which looks the part but ignores the conventional rules of ransomware.

Like a typical infection, Ranscam notifies you that it has compromised your system and rendered your files inaccessible, then goes a step further by threatening to delete every one of them if you don’t pay up. That warning alone is enough to spook some users into paying, and most of us can sympathize with anyone who would rather pay than lose their files. As it turns out, though, Ranscam is exactly what its name suggests: a big fat scam.

Ranscam, Not Even Ransomware: Just a Scam

When Ranscam goes to work, it looks like business as usual. Victims are told to pay a ransom of 0.2 bitcoin (roughly $130 USD at the time) to unlock their data, which has supposedly been encrypted and stashed on a hidden partition, and are promised that the files will be returned intact as soon as payment is made. To rattle the victim further, the note threatens to delete one file each time the payment button is clicked without a payment actually going through. You can click to your heart’s content, though: the button doesn’t even work. Apparently the page the authors set up isn’t configured to accept payment at all, so victims have to request email support in order to find out how to transfer the bitcoin. I thought this was the most mind-boggling tidbit from the Talos post.

Most ransomware creators manage to maintain a shred of integrity: they’re true to their word, really encrypting your files and really decrypting them once the ransom arrives. Ranscam doesn’t encrypt a single file. It simply deletes them, so a victim who pays is duped and doomed at the same time: by the time the ransom note appears, the files are already gone, and no key exists that could bring them back. These guys don’t care about your data. They simply want your money.
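A practitioner’s check that follows directly from this distinction (an added example written for this article, not code from Talos, StorageCraft or the Ranscam authors): before anyone thinks about paying, look at whether the files the note claims to hold hostage are actually sitting there as ciphertext or are simply gone. Real crypto-ransomware leaves high-entropy blobs in place of the originals; Ranscam leaves nothing. The script takes the paths a victim expected to find, measures the Shannon entropy of each file’s first 4 KiB, and reports a verdict. The file names, file contents, the three scenario modes and the 7.0 bits-per-byte cutoff are constructed assumptions for the demo.

```python
"""Ransom-note triage: are the 'hostage' files encrypted, or just gone?
Added example for this article; not Talos, StorageCraft or Ranscam code."""
import math
import os
import random
import tempfile
from collections import Counter

SAMPLE_BYTES = 4096           # entropy is judged on the first 4 KiB of each file
ENCRYPTED_THRESHOLD = 7.0     # bits per byte; ciphertext sits close to 8.0 (assumed cutoff)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> str:
    """One of 'deleted', 'empty', 'encrypted' or 'intact' for a file the victim expected."""
    if not os.path.isfile(path):
        return "deleted"
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if not head:
        return "empty"            # truncated in place: destroyed, just without the unlink
    return "encrypted" if shannon_entropy(head) >= ENCRYPTED_THRESHOLD else "intact"


def triage(expected_paths):
    """Classify every expected file and return (counts, verdict).

    verdict is 'encrypted' (ciphertext present, so a key exists somewhere; restore
    from backup, payment is a gamble), 'destroyed' (files gone, nothing to buy back,
    paying is pointless) or 'bluff' (files untouched; the note is just noise)."""
    counts = Counter(classify_file(p) for p in expected_paths)
    if counts["encrypted"] > 0:          # Counter returns 0 for absent keys without adding them
        verdict = "encrypted"
    elif counts["deleted"] + counts["empty"] > 0:
        verdict = "destroyed"
    else:
        verdict = "bluff"
    return counts, verdict


def build_scenario(mode: str) -> list:
    """Constructed sample tree (hypothetical file names and contents).
    mode: 'ranscam'   -> expected files are never written, as if deleted
          'crypto'    -> each file replaced by pseudo-random bytes standing in for ciphertext
          'untouched' -> originals left in place"""
    root = tempfile.mkdtemp(prefix="triage_")
    originals = {
        "report.txt": b"Quarterly report: revenue up, costs flat.\n" * 100,
        "ledger.csv": b"date,amount\n2016-07-01,130.00\n" * 100,
    }
    rng = random.Random(2016)             # fixed seed keeps the demo reproducible
    expected = []
    for name, body in originals.items():
        path = os.path.join(root, name)
        expected.append(path)
        if mode == "ranscam":
            continue                      # Ranscam's whole trick: the file is simply gone
        data = bytes(rng.getrandbits(8) for _ in range(len(body))) if mode == "crypto" else body
        with open(path, "wb") as fh:
            fh.write(data)
    return expected


def demo(mode: str):
    """Run triage over one constructed scenario; returns (plain dict of counts, verdict)."""
    counts, verdict = triage(build_scenario(mode))
    return dict(counts), verdict


if __name__ == "__main__":
    for mode in ("ranscam", "crypto", "untouched"):
        print(mode, demo(mode))
```

Treat the entropy test as a heuristic, not a proof: formats that are already compressed (ZIP, JPEG, most modern Office files) are high-entropy by nature, so for those compare against a known-good copy or check the file’s magic bytes instead of its entropy alone. What matters for the payment decision is the deleted count: when the files are gone, there is no key to buy.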

Security experts have pulled no punches in criticizing Ranscam. The IT community describes its creators as “amateurs”, “lazy”, and “low-tech”. From targeted encryption to the dual threat seen in the case of Petya and Mischa, ransomware has shown some rather impressive technical functions. Ranscam’s destructiveness is of a different, cruder nature. Besides the user’s own files, it deletes a number of critical system components, including registry keys and the files that launch the Windows System Restore utility, so the built-in recovery path disappears along with the data.

Though Ranscam succeeded in generating a buzz and some quick cash, it could be a short-lived adventure: there’s no point in paying if your files are already gone, and word gets around. The primary bitcoin wallet associated with Ranscam collected only about $278 in the past month, a sum small enough that security researchers believe this little scam may have already run its course.

The Ransomware Family Is Rapidly Growing

Security software firm Symantec offers some insight into recent ransomware trends in its Ransomware and Businesses 2016 report. One finding is that Ransomware-as-a-Service (RaaS) is on the rise. Borrowing its name from cloud computing’s “as-a-service” model, RaaS is a platform on which anyone can buy the tools to build and deploy ransomware. In exchange for a share of the profits, the platform operators supply the executables and an interface that ransomware rookies can use to track victim activity.

Ranscam is a poorly executed excuse for ransomware; pundits say it isn’t even worthy of the title. Real ransomware, on the other hand, grows scarier and more advanced by the day. Symantec reports that authors now write ransomware in scripting languages such as JavaScript, PHP or Python. The point is evasion: scanners and signatures tuned to spot the compiled (typically C++) executables that ransomware has traditionally shipped as are less likely to flag a script. The report also mentions strains such as Chimera, which threatens to post personal details like photos and videos online to pressure victims into paying. These methods and others show a level of expertise that Symantec says resembles cyberespionage.

The evolution of ransomware has been nothing short of staggering. 100 new families were discovered in 2015 alone, with crypto-ransomware leading the charge. Crypto-ransomware is the most dangerous class of all: it has been refined for years, to the point that in some cases the encryption is, for practical purposes, unbreakable. Traditional security software can’t help after the fact, because removing the malware does not decrypt anything; the files stay inaccessible. According to Symantec, U.S. businesses remain the biggest target: organizations make up 38 percent of victims in the U.S., a region that accounts for 31 percent of global infections.

Ranscam sends a harsh message: you can’t always pay to make your problems go away. Forking over the bitcoin doesn’t necessarily mean you will recover your files, whether because the crooks don’t honor the deal or, as with Ranscam, because the files were never encrypted in the first place. It also underscores the importance of a comprehensive data protection strategy. Like most malware, ransomware arrives primarily through email attachments, infected websites, and malicious software downloads, so a good anti-virus program is your first line of defense, stopping the infection before it runs.

More than anything, the rapid rise of ransomware is a reminder that a bulletproof business continuity plan is a must. Whether Ranscam hits or something that really does encrypt your files, you can quickly restore them from your backups. The only way to avoid paying a hefty ransom or losing mission-critical files you can’t afford to lose is to back up on a regular basis, to storage the malware can’t reach: Ranscam guts the machine’s own System Restore, so local restore points are no substitute for a separate copy. Regular, isolated backups are the closest thing you’re going to get to a guarantee.

About the Recovery Zone

This online digest is dedicated to exploring BDR solutions and technology relevant to MSPs, VARs, and IT professionals.

The Recovery Zone is brought to you by StorageCraft, a company that has been producing software solutions for backup, disaster recovery, system migration, virtualization, and data protection for servers, desktops, and laptops since 2003.